BehaviorAnalytics stopped collecting FailedLogon events

Dmitriy Kolesnikov 11 Reputation points
2022-05-02T14:38:39.777+00:00

Hi there.

Since April 2022, a query against the BehaviorAnalytics table no longer returns any records with an ActivityType containing 'FailedLogOn'. There are also no such records when the table is queried without any filters.

I checked all connected logs and everything looks enabled.

Could you please guide me on how to fix this?

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Sentinel

2 answers

  1. Dmitriy Kolesnikov 11 Reputation points
    2022-05-02T15:41:24.787+00:00

    It seems the issue is caused by a problem with the Azure Premium P1/P2 license. We recently updated the licenses for everyone in the company, and some of those licenses don't work properly with Sentinel.


  2. Andrew Blumhardt 10,066 Reputation points Microsoft Employee
    2022-05-02T15:46:44.003+00:00

    I would start by checking the source tables for activity. Make sure your AAD Audit and Signin Logs are flowing. Maybe reset the UEBA settings. It may need reauthorization.

    https://learn.microsoft.com/en-us/azure/sentinel/enable-entity-behavior-analytics

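
One way to run the source-table check suggested in the second answer, as an added example that is not part of either poster's reply. It assumes the standard Sentinel tables `SigninLogs`, `AuditLogs` and `BehaviorAnalytics` are present in the workspace; the 60-day window and the series labels are arbitrary choices.

```kusto
// Added example: compare what the source logs contain with what UEBA produced.
// Assumption: 60 days is enough to span the point where FailedLogOn records stopped.
let lookback = 60d;
// Failed sign-ins in the raw source table (ResultType "0" means success).
let source_failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"
    | summarize Events = count() by Day = bin(TimeGenerated, 1d)
    | extend Series = "1 SigninLogs failed sign-ins";
// Any audit activity, to confirm the second source connector is still flowing.
let audit_all =
    AuditLogs
    | where TimeGenerated > ago(lookback)
    | summarize Events = count() by Day = bin(TimeGenerated, 1d)
    | extend Series = "2 AuditLogs all records";
// Everything UEBA wrote, regardless of activity type.
let ueba_all =
    BehaviorAnalytics
    | where TimeGenerated > ago(lookback)
    | summarize Events = count() by Day = bin(TimeGenerated, 1d)
    | extend Series = "3 BehaviorAnalytics all records";
// Only the records the question is about.
let ueba_failed =
    BehaviorAnalytics
    | where TimeGenerated > ago(lookback)
    | where ActivityType contains "FailedLogOn"
    | summarize Events = count() by Day = bin(TimeGenerated, 1d)
    | extend Series = "4 BehaviorAnalytics FailedLogOn";
union source_failures, audit_all, ueba_all, ueba_failed
| summarize FirstDay = min(Day),
            LastDay = max(Day),
            DaysWithData = dcount(Day),
            TotalEvents = sum(Events)
    by Series
| order by Series asc
```

A series that is missing from the output had no rows in the window, and `LastDay` shows when each feed last produced data. If series 1 is current while series 4 is absent or stale, the source logs are flowing and the gap is on the UEBA side, which is the case the answer's reset and reauthorization suggestion addresses.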
